Daily Brief
Articles are listed below; see 'Details' for the generated summaries.
Total articles found: 12591
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2026-01-24 22:03:02 | bleepingcomputer | NATION STATE ACTIVITY | Sandworm's Failed Wiper Attack Targets Poland's Energy Infrastructure | Poland's energy grid faced a cyberattack in December 2025, attributed to the Russian state-sponsored group Sandworm, aiming to deploy the destructive DynoWiper malware. Sandworm, linked to Russia's GRU, has a history of disruptive attacks, including a similar incident on Ukraine's energy grid a decade ago. The attack targeted two combined heat and power plants and a management system for renewable energy sources, according to Polish officials. DynoWiper, identified by ESET as Win32/KillFiles.NMO, is designed to render operating systems unusable by deleting files, necessitating system rebuilds or reinstalls. Polish Prime Minister Donald Tusk confirmed the attack's links to Russian services, emphasizing the geopolitical implications of such cyber activities. ESET provided limited technical details on DynoWiper, and no samples have been found on major malware submission platforms. Recommendations include reviewing Microsoft's February 2025 report on Sandworm for insights into defending against similar threats. Sandworm's recent activities also include attacks on Ukraine's education, government, and grain sectors, indicating a pattern of targeting critical infrastructure. | Details |
| 2026-01-24 15:26:56 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Konni Group Targets Blockchain Sector with AI Malware | The Konni hacking group, linked to North Korea, is targeting blockchain developers with AI-generated PowerShell malware, aiming to compromise sensitive assets and cryptocurrency holdings. This campaign, observed by Check Point researchers, primarily affects the Asia-Pacific region, with malware submissions from Japan, Australia, and India. Attackers use Discord-hosted links to deliver ZIP archives containing a PDF lure and a malicious LNK file, which initiates the malware deployment process. The malware shows signs of AI-assisted development, featuring structured documentation and modular design indicative of large-language-model-generated code. Upon execution, the malware conducts hardware and software checks to evade analysis environments, then establishes a connection with a command-and-control server. The attack's objective is to infiltrate development environments, potentially accessing infrastructure, API credentials, and cryptocurrency wallets. Indicators of compromise (IoCs) have been released to aid in defending against this threat, emphasizing the need for enhanced security measures in targeted sectors. | Details |
| 2026-01-24 11:16:19 | thehackernews | CYBERCRIME | Multi-Stage Phishing Campaign Targets Russian Entities with Amnesia RAT | A sophisticated phishing campaign is targeting Russian users with ransomware and Amnesia RAT, leveraging business-themed documents as social engineering lures. Attackers use GitHub and Dropbox to distribute scripts and payloads, complicating takedown efforts and enhancing campaign resilience. The campaign exploits the Defendnot tool to disable Microsoft Defender, tricking it into believing another antivirus is installed. Malicious LNK files with deceptive extensions initiate PowerShell scripts, which establish a foothold and report success via Telegram. The final payload, Amnesia RAT, enables extensive data theft and remote control, targeting web browsers, cryptocurrency wallets, and communication platforms. The ransomware component encrypts critical files and manipulates cryptocurrency transactions, while WinLocker restricts user interaction. Microsoft advises enabling Tamper Protection to prevent unauthorized changes to Defender settings and monitoring suspicious API calls. The campaign reflects a trend of using native Windows features and administrative tools to bypass defenses and deploy persistent malware. | Details |
| 2026-01-24 09:33:38 | theregister | MISCELLANEOUS | UK Home Office Invests £100M in Advanced Border Surveillance Technology | The UK Home Office plans to invest up to £100 million in intelligence technology to address the issue of small boats crossing the English Channel. The Border Security Command seeks a maritime situational awareness system to autonomously detect, track, and identify small and non-cooperative vessels. This initiative involves merging land-based intelligence with the Joint Maritime Security Centre's existing Maritime Domain Awareness service for enhanced operational decision-making. The system will integrate data from drones, satellites, and radar to provide real-time tracking and alerts through a "Tracks as a Service" model. The contract, potentially lasting up to five years, aims to bolster the UK's maritime security and response to clandestine entry. A supplier portal will offer camera feeds and alternative track displays, ensuring adaptability for urgent operational needs across UK territories. Since 2017, private companies have secured approximately £3.5 billion in UK border security contracts, highlighting significant investment in managing Channel crossings. | Details |
| 2026-01-24 08:21:53 | thehackernews | MISCELLANEOUS | Rethinking AI Agent Access and Accountability in Enterprises | AI agents are increasingly used to enhance productivity by automating tasks such as scheduling, data access, and workflow management across enterprises. Unlike traditional user accounts, AI agents often receive broad access permissions, complicating ownership and accountability, which can lead to security risks. AI agents operate autonomously with delegated authority, potentially performing actions beyond the initial user's permissions, creating exposure risks. The lack of clear ownership and lifecycle management for organizational AI agents poses significant risks, as they can accumulate permissions over time. Enterprises must redefine risk management for AI agents, treating them as high-risk entities with distinct identities and permissions. Establishing clear ownership, mapping user-agent interactions, and monitoring agent access are critical steps to mitigate the risks associated with AI agents. Without proper governance, organizational AI agents may turn productivity gains into systemic security vulnerabilities within the enterprise. | Details |
| 2026-01-24 08:21:53 | thehackernews | NATION STATE ACTIVITY | Sandworm's DynoWiper Targets Polish Power Sector in Major Cyber Assault | The Russian hacking group Sandworm attempted a significant cyberattack on Poland's power infrastructure using new wiper malware, DynoWiper, in late December 2025. Poland's energy minister confirmed the attack as the largest on the nation's power system in recent years, though it failed to cause disruption. ESET linked the attack to Sandworm based on similarities with past operations, particularly those following Russia's 2022 invasion of Ukraine. The attack targeted two CHP plants and systems managing renewable energy sources, but no successful disruption was reported. The Polish Prime Minister announced plans for enhanced cybersecurity measures, including legislation to strengthen IT and OT system protections. The attack coincided with the tenth anniversary of Sandworm's infamous 2015 cyber assault on Ukraine's power grid. Sandworm's history of targeting critical infrastructure, notably in Ukraine, continues with the deployment of various wiper malware variants. | Details |
| 2026-01-24 08:13:28 | thehackernews | VULNERABILITIES | CISA Identifies Active Exploitation of Critical VMware vCenter Flaw | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the VMware vCenter flaw CVE-2024-37079 to its Known Exploited Vulnerabilities catalog due to active exploitation. This critical vulnerability, with a CVSS score of 9.8, involves a heap overflow in the DCE/RPC protocol, enabling remote code execution via crafted network packets. Discovered by QiAnXin LegendSec researchers, the flaw was patched by Broadcom in June 2024, alongside another heap overflow vulnerability, CVE-2024-37080. Broadcom confirmed in-the-wild exploitation of CVE-2024-37079, though details on the threat actor or attack scale remain unclear. Federal Civilian Executive Branch agencies must update to the latest version by February 13, 2026, to mitigate potential risks. The vulnerabilities are part of a set of four flaws, including privilege escalation, that could lead to unauthorized root access on ESXi. The discovery underscores the importance of timely patching and monitoring of critical infrastructure to prevent exploitation. | Details |
| 2026-01-24 00:28:02 | theregister | MISCELLANEOUS | CISA Withdraws from RSA Conference Amid Leadership Changes | The Cybersecurity and Infrastructure Security Agency (CISA) confirmed it will not attend the RSA Conference, a major industry event, citing a focus on core mission priorities. This decision follows the appointment of former CISA director Jen Easterly as CEO of the RSA Conference, sparking speculation of a boycott by Trump-era cybersecurity officials. Historically, federal cyber officials have been prominent at RSAC, with active speaking roles and engagements with industry stakeholders. The absence of CISA at this event marks a shift in agency engagement under current leadership, focusing on aligning with administration policies. Easterly's recent appointment at RSAC has stirred controversy, leading to discussions among federal cybersecurity offices about their participation. The move reflects ongoing political dynamics affecting cybersecurity leadership and event participation within federal agencies. The decision may impact CISA's visibility and influence in industry discussions and collaborations at the RSA Conference. | Details |
| 2026-01-23 23:36:10 | bleepingcomputer | CYBERCRIME | ShinyHunters Exploit SSO Vulnerabilities for Corporate Data Extortion | ShinyHunters, a cyber extortion group, has claimed responsibility for a series of voice phishing attacks targeting single sign-on (SSO) accounts at major platforms like Okta, Microsoft, and Google. These attacks involve impersonating IT support to deceive employees into revealing credentials and multi-factor authentication codes on phishing sites mimicking company portals. Once SSO accounts are compromised, attackers gain access to a range of connected enterprise applications, posing significant risks to corporate data security. Okta reported that the phishing kits used in these attacks include web-based control panels, enabling attackers to manipulate what victims see during the phishing process. ShinyHunters has relaunched its data leak site on Tor, listing breaches at companies such as SoundCloud, Betterment, and Crunchbase, with confirmed data theft incidents. The group uses previously stolen data, including employee details, to enhance the effectiveness of its social engineering tactics in these attacks. Companies impacted by these breaches are engaging cybersecurity experts and law enforcement to mitigate risks and secure their systems. The incidents underscore the critical need for robust security measures around SSO implementations and employee awareness training to prevent such breaches. | Details |
| 2026-01-23 22:06:26 | theregister | VULNERABILITIES | Critical VMware vCenter Server Flaw Exploited Despite 2024 Patch | A critical vulnerability in VMware vCenter Server, CVE-2024-37079, is being actively exploited over a year after a patch was released. The flaw, an out-of-bounds write in the DCERPC protocol, presents a severe risk with a CVSS score of 9.8, potentially allowing remote code execution. Both Broadcom and CISA have issued warnings, with CISA adding the vulnerability to its Known Exploited Vulnerabilities Catalog, mandating that federal agencies patch by February 13. Despite the patch's availability since June 2024, exploitation continues, with details on the scope and actors involved still unclear. Virtualization infrastructure, including vCenter Server, remains a prime target for both nation-state actors and cybercriminals. Previous vulnerabilities in the same protocol have been exploited by China-linked threat groups, indicating persistent interest in such targets. Organizations are urged to ensure vCenter Servers are not exposed to the internet and to apply patches promptly to mitigate risks. | Details |
| 2026-01-23 20:47:29 | theregister | DATA BREACH | Microsoft Provides BitLocker Keys to FBI in Fraud Investigation | Microsoft reportedly supplied the FBI with BitLocker encryption keys to access laptops involved in a fraud case, marking the first known instance of such cooperation. The case involves defendants in Guam accused of fraudulently collecting pandemic unemployment benefits, highlighting potential risks for users relying on Microsoft-managed encryption. BitLocker, a Windows security feature, typically backs up encryption keys to Microsoft servers if set up with an active Microsoft account, unless users choose alternative storage options. Microsoft emphasizes that while it does not provide its own encryption keys to governments, it may supply customer keys if they are stored on its servers. The incident raises concerns for organizations with high privacy needs, as Microsoft's default key management practices may not align with their security requirements. Microsoft receives approximately 20 requests annually for BitLocker keys, but can only fulfill them if customers have opted for cloud storage of their keys. The situation underscores the balance Microsoft maintains between data recoverability and privacy, potentially impacting its suitability for privacy-focused entities. | Details |
| 2026-01-23 20:15:44 | bleepingcomputer | MALWARE | Malicious AI Extensions in VSCode Marketplace Compromise Developer Data | Two AI-based extensions on Microsoft's VSCode Marketplace, installed 1.5 million times, are exfiltrating developer data to servers in China without user consent. These extensions, part of a campaign named 'MaliciousCorgi', share code and infrastructure used to steal sensitive information. The extensions employ three data-collection methods, including real-time file monitoring and server-controlled file harvesting, to capture and transmit developer data. A zero-pixel iframe in the extensions' webview loads analytics SDKs for user profiling, device fingerprinting, and activity monitoring. Risks include exposure of private source code, configuration files, and API credentials, posing significant security threats to developers and organizations. Microsoft has been contacted regarding these extensions, but no response has been received, and the publisher has not been reached. This incident underscores the critical need for vigilance in monitoring third-party extensions and ensuring secure development environments. | Details |
| 2026-01-23 18:51:29 | theregister | DATA BREACH | ShinyHunters' Voice-Phishing Breach Affects Okta Customers, Data Leaked | ShinyHunters claims responsibility for a voice-phishing campaign targeting Okta, compromising Crunchbase, Betterment, and SoundCloud, with data leaks affecting millions of users. The breach involved stealing Okta single sign-on codes, allowing unauthorized access to Crunchbase and Betterment and leading to significant data exposure. SoundCloud confirmed a breach affecting 20% of its user base, approximately 28 million users, but denies that Okta credentials were used. The leaked data includes personally identifiable information, signed contracts, and corporate data, posing significant privacy and security risks. Okta has issued warnings about ongoing voice-phishing threats targeting Google, Microsoft, and Okta accounts, urging heightened vigilance. The incident reflects a broader trend of social engineering attacks exploiting identity services, necessitating robust security measures and user awareness. ShinyHunters hints at additional, undisclosed victims in the Okta campaign, raising concerns about the potential scale of the breach. Organizations are advised to review security protocols and enhance defenses against sophisticated phishing schemes to mitigate similar threats. | Details |
| 2026-01-23 18:51:28 | bleepingcomputer | VULNERABILITIES | CISA Warns of Active Exploitation of Four Software Vulnerabilities | CISA has identified active exploitation of four vulnerabilities affecting enterprise software from Versa, Zimbra, Vite, and Prettier, now listed in the Known Exploited Vulnerabilities catalog. CVE-2025-31125 involves improper access control in the Vite framework, exposing non-allowed files when servers are network-exposed; patches are available for affected versions. A critical authentication bypass in Versa Concerto SD-WAN, CVE-2025-34026, results from a reverse proxy misconfiguration, potentially exposing sensitive administrative endpoints. The eslint-config-prettier package, impacted by CVE-2025-54313, suffered a supply-chain attack, leading to malicious code execution and theft of npm authentication tokens. Zimbra Collaboration Suite's Webmail Classic UI faces a local file inclusion risk via CVE-2025-68645, allowing unauthorized file access through improper parameter handling. Federal agencies are mandated to apply security updates, implement vendor-suggested mitigations, or discontinue product use by February 12, 2026, as per BOD 22-01. The current exploitation details remain undisclosed, and the vulnerabilities' potential use in ransomware attacks is still uncertain. | Details |
| 2026-01-23 17:15:20 | theregister | MISCELLANEOUS | Google Warns of Imminent AI-Powered Cyberattack Toolkits Development | Google security leaders caution that AI-driven cyberattack tools could emerge within years, transforming the threat landscape and enabling large-scale automated attacks. Current AI applications in cybercrime include enhancing phishing tactics and automating minor tasks, signaling a shift towards more comprehensive AI exploitation. Google's Threat Intelligence Group reports AI misuse by nation-states like China, Iran, and North Korea for reconnaissance and command-and-control development. Concerns grow over the potential democratization of threats, akin to the impact of exploit kits like Metasploit, which simplified post-compromise operations for attackers. A worst-case scenario involves AI autonomously executing ransomware or other malicious actions, posing significant challenges to traditional defense mechanisms. Future cybersecurity success may depend on minimizing damage and intrusion duration, rather than preventing breaches outright, as AI tools evolve. Organizations are urged to prepare for AI-enabled defenses, focusing on real-time disruption capabilities and adaptive strategies to counteract emerging AI threats. | Details |